Network system for secure communication

ABSTRACT

In a network system (100) for wireless communication an enrollee (110) accesses the network via a configurator (130). The enrollee acquires a data pattern (140) that represents a network public key via an out-of-band channel by a sensor (113). The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.

FIELD OF THE INVENTION

The invention relates to a network system for wireless communicationbetween network devices in an area, the network system being arrangedfor secure communication according to a security protocol.

The present invention relates generally to the field wireless networking(e.g. Wi-Fi), in particular to configuring wireless networks in a securemanner.

BACKGROUND OF THE INVENTION

Over the last decades wireless networks have been provided in manylocations. Providing a degree of security for using, accessing or datatraffic on the network is a common requirement. A new device that wantsto use the network, i.e. a device seeking to join a wireless network, isusually called an enrollee. The enrollee needs to have some credentials,whereas the network has to keep track of the network access. Suchfunction may be performed by a so called registrar or configurator, i.e.a device with the authority to issue and revoke access to a network,which may be integrated into a wireless access point (AP), or providedas a separate device. The access point may function as a proxy between aregistrar and an enrollee.

However, if such credentials are exchanged via wireless communication,third parties also receiving messages may access the credentials and maybe able to manipulate the access rights, and/or get unwanted access toprivate information of the enrollee and further data that is exchangedbetween the network and the enrollee. For example, public places likerestaurants and cafes may operate such networks.

For getting secure access to such rather open networks various optionshave been proposed for exchanging identity and/or credentials forgetting access to the network. Such credentials may, for example,comprise a passphrase that is selected for the network and is generallykept secret but revealed to the user of the enrollee so as to be enteredto the enrollee. Such a passphrase may be used to generate a shared keybetween the enrollee and the network. More advanced security systems mayuse a well-known system of paired sets of key data commonly called apublic key and a private key, such as the RSA public-key system. The RSApublic-key system is widely used for secure data transmission. In such acryptosystem, the encryption key is public and differs from thedecryption key which is kept secret. In RSA, this asymmetry is based onthe practical difficulty of factoring the product of two large primenumbers, the factoring problem. RSA is made of the initial letters ofthe surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who firstpublicly described the algorithm in 1977. A user of RSA creates and thenpublishes a public key based on two large prime numbers, along with anauxiliary value. The prime numbers must be kept secret. Anyone can usethe public key to encrypt a message, but with currently publishedmethods, if the public key is large enough, only someone with knowledgeof the prime numbers can feasibly decode the message. Hence the publickey may be revealed to anyone wanting secure communication with asecured device, while the corresponding private key is only known to thesecured device. DiffieHellman key exchange (DH) can also be based onpublic/private Elliptic Curve Cryptography (ECC) key pairs are onseveral key pairs. The shared secret can be computed as(PubKey₁+PubKey₂+ . . . +PubKey_(N))*(PrivKey_(N+1)+ . . .+PrivKey_(N+M)), which equals (PubKey_(N+1)+PubKey_(N+2)+ . . .+PubKey_(N+M))*(PrivKey₁+ . . . +PrivKey_(N)), where the additions andmultiplications are not the usual algebraic additions andmultiplications, but are performed on points on an elliptic curve andwhere one device keeps {PrivKey₁, . . . , PrivKey_(N)} secret, but makesthe corresponding public keys {PubKey₁, . . . , PubKey_(N)} available toother devices and knows {PubKey_(N+1), PubKey_(N+2), . . . ,PubKey_(N+M)), so it can derive a shared secret, and the other wayaround. Examples below use N=1 and M=2.

Further security may be achieved based on generating so called sharedkey material at both the enrollee and the configurator using both publicand private keys at both sides. Such a shared key is generated at theenrollee based on the public network key and the private enrollee key,whereas the same key (hence called shared key) can be generated at theconfigurator side based on the private network key and the publicenrollee key. Various cryptographic methods are known for generatingsuch shared keys, e.g. the Diffie-Hellman key exchange (DH). DH is aspecific method of securely exchanging cryptographic keys over a publicchannel and one of the earliest practical examples of public keyexchange implemented within the field of cryptography. Traditionally,secure encrypted communication between two parties required that theyfirst exchange keys by some secure physical channel, such as paper keylists transported by a trusted courier. The Diffie-Hellman key exchangemethod allows two parties that have no prior knowledge of each other tojointly establish a shared secret key over an insecure channel. This keycan then be used to encrypt subsequent communications using a symmetrickey cipher.

The Diffie-Hellman key exchange method is such that nobody listening tothe protocol exchange can compute the Diffie-Hellman key. However,either party must make certain that the public key that they havereceived from the other party is indeed from the right party. Amalicious third party, usually called a man-in-the-middle, may give hispublic key to two parties instead of the intended respective publickeys, and so set up a Diffie-Hellman key with each of these two, whilethese two parties are thinking that they communicate directly. So inthis case, the man-in-the-middle can decrypt the communication from oneparty, use it at will, encrypt it with the DH key for the other part andsend it to the other party, without the two parties being aware. If atleast one of the two parties transfers his public key, using an Out OfBand (OOB) channel that they trust as explained below, to the other oneor if the two parties exchange their public keys using a trusted OOBchannel, then they can make sure that there is no man-in-the-middlepresent, by refusing to perform the DH protocol with a party whosepublic key that have not received OOB. Instead of transferring thepublic key via OOB, also a derivative of the public key, e.g. the hashof the public key, may be transferred. If a party offers its public keyto another party, the other party computes the hash of that public keyand checks whether the computed hash is the same as the hash receivedover OOB. An example of this is the use of Near Field Communication(NFC) as an OOB channel in the “Connection Handover” method in section10.1.3 of the Wi-Fi Simple Configuration Technical Specification Version2.05 [ref1].

Further improved strength against attackers trying to break the secretscan be achieved using elliptic curve cryptography. Elliptic curvecryptography (ECC) is an approach to public-key cryptography based onthe algebraic structure of elliptic curves over finite fields. ECCrequires smaller keys compared to non-ECC cryptography (based on plainGalois fields) to provide equivalent security. Elliptic curves areapplicable for encryption, digital signatures, pseudo-random generatorsand other tasks. They are also used in several integer factorizationalgorithms that have applications in cryptography, such as Lenstraelliptic curve factorization. Public-key cryptography is based on theintractability of certain mathematical problems. Early public-keysystems are secure assuming that it is difficult to factor a largeinteger composed of two or more large prime factors. Forelliptic-curve-based protocols, it is assumed that finding the discretelogarithm of a random elliptic curve element with respect to a publiclyknown base point is infeasible, which is called the “elliptic curvediscrete logarithm problem”. The security of ECC depends on the abilityto compute a point multiplication and the inability to compute themultiplicand given the original and product points. The size of theelliptic curve determines the difficulty of the problem. Variouscryptographic schemes have been adapted based on such elliptic curves.

The exchange of credentials may further be controlled to be within apredefined location by initially requiring the use of a proximity basedcommunication channel different from the wireless communication providedvia the network. A well known example is called Wi-Fi Protected Setup(WPS, see [1]) introduced in 2006, the goal of the protocol being toallow home users who know little of wireless security and may beintimidated by the available security options to set up Wi-Fi ProtectedAccess, as well as making it easy to add new devices to an existingnetwork without entering long passphrases. The WPS standard emphasizesusability and security, and allows a few modes in a home network foradding a new device to the network: PIN, Push button or NFC. In the PINmethod a personal identification number (PIN) has to be read from eithera sticker or display on the new wireless device. This PIN must then beentered at a device representing the manager of the network, usually thenetwork's access point. Alternately, a PIN provided by the access pointmay be entered into the new device. In the Push button method the userhas to push a button, either an actual or virtual one, on both theaccess point and the new wireless client device. On most devices, thisdiscovery mode turns itself off as soon as a connection is establishedor after a delay (typically 2 minutes or less), whichever comes first,thereby minimizing its vulnerability. A third method is based on NearField Communication (NFC), in which the user has to bring the new clientclose to the access point to allow a near field communication betweenthe devices. NFC Forumcompliant RFID tags can also be used in the WPSsystem. Support of this mode is optional. Such additional proximitybased communication channel is usually called an out-of-band channel(OOB).

Radio-frequency identification (RFID) is the wireless use ofelectromagnetic fields to transfer data, for the purposes ofautomatically identifying and tracking tags attached to objects. Thetags contain electronically stored information. Some tags are powered byelectromagnetic induction from magnetic fields produced near the reader.Some types collect energy from the interrogating radio waves and act asa passive transponder. Other types have a local power source such as abattery and may operate at hundreds of meters from the reader. Unlike abarcode, the tag does not necessarily need to be within line of sight ofthe reader and may be embedded in the tracked object.

A further example based on near field communication (NFC) is describedin [ref1], chapter 10 “NFC Out-of-Band Interface Specification” for WLANconfiguration. Here an NFC Tag is to be provided at the Enrollee device.The NFC tag is used to physically transfer a device password from theEnrollee to an NFC-enabled Registrar at close range. The device passwordwill then be used with an in-band registration protocol to provision theEnrollee with WLAN configuration data. An NFC Password Token may beintegrated into the device if the device is portable and themanufacturer assumes no practical difficulty for the user to physicallymove the device close to a Registrar NFC Device. Such a networkregistrar device that enables a new device to access the network, i.e.enabling configuration of the network and the enrollee by having theenrollee and the network exchange the required credentials in a secureway, is from here called a configurator. In the known system of [ref1],the enrollee may be required to provide an enrollee password to aconfigurator at close range via an OOB channel. There are more waysdescribed in [ref 1] to use the OOB channel, e.g. the exchange of hashesof public keys.

WO2010/023506 describes secure pairing and association for wirelessdevices, which devices enable use of a fixed secret value and fixedpublic key in a first device for use in pairing and association of thefirst device with a second device without compromising forward secrecy.The first and second devices may establish a first shared secret key inaccordance with a public key agreement protocol based at least in partupon the fixed public key of the first device and a public keyassociated with the second device. The first shared secret key may beused for verification of a second shared secret key. The second sharedsecret key may be established based at least in part upon the public keyassociated with the second device and a fresh public key generated bythe first device and may be used to facilitate encrypted communicationsbetween the devices.

SUMMARY OF THE INVENTION

Exchange of credentials in a secure way in public places is required,and the enrollee may be required to provide his credentials to theconfigurator. However, it may be bothersome for the user to bring hisdevice in close proximity of a configurator, and/or it may be bothersomefor the operator of the network to provide physical access to theconfigurator for each customer that wishes network access. Neverthelessthe operator of such a network would like it that his customers can getsecure access to his network in a very simple way, while both theenrollee and the configurator can be sure that no third party is able toaccess data transferred between the enrollee and the network and cannotinterfere or play a man-in-the-middle role.

It is an object of the invention to provide a system for secure accessto a public wireless network that enables a more convenient access forenrollees.

For this purpose, a network system, devices and methods are provided asdefined in the appended claims.

The network system is arranged for wireless communication betweennetwork devices in an area, and for secure communication according to asecurity protocol. The network system comprises

at least one network device arranged for wireless communication andarranged to act as an enrollee according to the security protocol forgetting access to the network, to have a first enrollee public key and acorresponding first enrollee private key and to have a second enrolleepublic key and a corresponding second enrollee private key,

a network device arranged to act as configurator and arranged to enablesecure communication for the enrollee according to the securityprotocol, and to have a configurator public key and a correspondingconfigurator private key and to have, for the network system, a networkpublic key and a corresponding network private key, the enrolleecomprising an enrollee sensor and an enrollee processor arranged to

acquire a data pattern via an out-of-band channel by the enrolleesensor, the data pattern being provided in the area and representing thenetwork public key,

derive a first shared key based the network public key and the firstenrollee private key,

encode the second enrollee public key using the first shared key,

generate a network access request according to the security protocol,the network access request including the encoded second enrollee publickey and the first enrollee public key, and

transfer the network access request to the configurator via the wirelesscommunication; the configurator comprising a configurator processorarranged to

receive the network access request from the enrollee via the wirelesscommunication,

derive the first shared key based on the network private key and thefirst enrollee public key,

decode the encoded second enrollee public key using the first sharedkey,

verify whether the encoded second enrollee public key was encoded by thefirst shared key, and, if so,

generate security data using the second enrollee public key and theconfigurator private key,

derive a second shared key based on the first enrollee public key, thesecond enrollee public key and the network private key,

protect cryptographically using the second shared key at least one ofthe security data and configurator public key, and

generate a network access message according to the security protocol,the network access message including at least one of the protectedsecurity data and protected configurator public key;

the enrollee processor further arranged to

receive the network access message from the configurator via thewireless communication,

derive the second shared key based on the first enrollee private key,the second enrollee private key and the network public key,

verify whether at least one of the protected security data and theprotected configurator public key was cryptographically protected by thesecond shared key and, if so,

engage the secure communication based on the second enrollee private keyand the security data.

A first network device acts as configurator device, also calledconfigurator. The configurator device comprises a configuratorcommunication unit arranged to receive, from the enrollee device, thenetwork access request according to the security protocol, the networkaccess request including the encoded second enrollee public key and thefirst enrollee public key, and a configurator processor comprising amemory arranged to have, for the configurator device, the configuratorpublic key and a corresponding configurator private key and to have, forthe network system, the network public key and a corresponding networkprivate key. The configurator processor is arranged to

derive the first shared key based on the network private key and thefirst enrollee public key,

decode the encoded second enrollee public key using the first sharedkey,

verify whether the encoded second enrollee public key was encoded by thefirst shared key, and, if so,

generate the security data using the second enrollee public key and theconfigurator private key,

derive the second shared key based on the first enrollee public key, thesecond enrollee public key and the network private key,

protect cryptographically, using the second shared key, at least one ofthe security data and the configurator public key, and

generate the network access message according to the security protocol.

As the configurator configures the network and network devices enteringthe network, so-called enrollees, the configurator device must be ableto communicate with other network devices wirelessly, directly orindirectly via a wireless communication device like an access point. Assuch, the configurator does not have to be part of the network itself,i.e. it may or may not be able to participate in communication acrossthe network that is being configured.

A second network device acts as enrollee device, also called enrollee.The enrollee device comprises

an enrollee wireless communication unit arranged for wirelesscommunication;an enrollee sensor arranged to acquire a data pattern via an out-of-bandchannel, the data pattern being provided in the area and representingthe network public key;and an enrollee processor comprising a memory arranged to have the firstenrollee public key and a corresponding first enrollee private key andto have the second enrollee public key and a corresponding secondenrollee private key. The enrollee processor is arranged to

derive the first shared key based on the network public key and thefirst enrollee private key,

encode the second enrollee public key using the first shared key,

generate the network access request according to the security protocol,the network access request including the encoded second enrollee publickey and the first enrollee public key, and

transfer the network access request to the configurator device via theenrollee wireless communication unit.

The enrollee processor is further arranged to

receive the network access message from the configurator via theenrollee wireless communication unit,

derive the second shared key based on the first enrollee private key,the second enrollee private key and the network public key,

verify whether at least one of the protected security data and theprotected configurator public key was cryptographically protected by thesecond shared key and, if so,

engage the secure communication based on the second enrollee private keyand the security data.

In the context of the current network system the enrollee has anenrollee sensor that is able to receive information via a so-calledout-of-band (OOB) channel, as elucidated above, from a so called datapattern that represents this information, for example a QR code, colorpattern or NFC tag containing a data pattern representing the networkpublic key.

In general, protecting the privacy and/or the integrity of data involvesa form of encrypting and/or adding a cryptographic hash based on keymaterial, which may be expressed by the general word ‘encoding’. Soencoding information with a key may mean encrypting the information witha key, e.g. by using AES. For example, the step of “protectingcryptographically at least one of the security data and configuratorpublic key using the second shared key” has the following function. Inthis step protecting is a type of encoding, in which the security dataand the configurator public key may, but need not be kept secret, sothis step may or may not involve encryption with a key. But thereceiving party must be sure that the “protected data” are correct, soit must be possible to check their integrity. So ‘protecting’ is to beinterpreted as ‘protecting for integrity’, such as generating acryptographic signature and/or ‘encrypting’ the material includingfurther check data, checksums or other unique data. Protectinginformation cryptographically with a key may also mean protecting theintegrity of the information with that key, which may be done by addinga cryptographic hash using the key over the information, so that partiesthat know the key can check the integrity of the information. One canalso say that the cryptographic hash authenticates the information asoriginating from a party that knows the key. A cryptographic hashfunction is a hash function that besides the data to be hashed as input,also needs a key as input, with the resulting hash of course beingdependent on the key, e.g. AES-SIV (refer to RFC 5297, [2]) accomplishesboth encryption and integrity protection based on a key. The step‘verify whether . . . ’ on the data as received embodies the check ofintegrity so as to achieve the integrity protection. This step mayinvolve decryption, depending on the protection method used. If e.g.AES-SIV (refer to RFC 5297, [2]) is used for protection, the step‘verify whether . . . ’ involves also the decryption of the data.Furthermore, ‘protect at least one of the security data and configuratorpublic key using the second shared key’ can be interpreted as “generateintegrity protection information for at least one of the security dataand configurator public key using the second shared key” and then putthe integrity protection information and the at least one of thesecurity data and configurator public key in the network access message.

Advantageously, in the network system, the enrollee is enabled toefficiently engage the secure communication based on its own secondenrollee private key and the security data as received via the networkaccess message. Thereto the enrollee first establishes an effectiveout-of-band channel formed by using the enrollee sensor to acquire thedata pattern. The data pattern is made available in the area where thenetwork system manager intends to allow enrollees to access the networksystem. Then the enrollee initiates a security protocol using thewireless communication.

Further advantageously, the system manager controls the area whereenrollees can enter the system, while credentials are securely exchangedwith the configurator in a way that prevents a man-in-the-middle attack.By having the enrolling process initiated by the enrollee itself via theout-of-band channel a minimum number of wireless messages, i.e. thenetwork request message and the subsequent network access message,suffice for said secure exchange of credentials.

Optionally a configurator device can set up another device to signpublic keys on behalf of the configurator device. Such combination ofdevices is considered to be an implementation of the configurator asdefined in the network system. One of the things that must be done bythe configurator device is to give this other device its signing privatekey or to obtain the other device's signing public key, sign it with theconfigurator's signing private key, and send the signed other device'ssigning public key, and the configurator's signing public key to theother device. When the other device signs a public key from an enrollee,it sends in the second case its public signing key, the signatureprovided by the configurator and the configurator's public signing keyto the enrollee, so the enrollee can check the signature of its publickey and the signature over the other device's public signing key.

Optionally in the above network system, the configurator processor isarranged to generate a temporary network public key and a correspondingtemporary network private key, which keys constitute the network publickey and the corresponding network private key. This defines making thenetwork key pair an ephemeral (temporary, one-time use) one. In a systemwhere the network public key which is static, one of the previousenrollees might have put this public key on the Internet and anybody cancontact the configurator. The advantage of the ephemeral key is that ifan enrollee contacts the configurator over Wi-Fi and the network publickey has been generated moments ago, the enrollee can only know thisnetwork public key, because it has obtained this key just before via theout of band mechanism.

Optionally in the above network system, the enrollee processor isarranged to generate a temporary enrollee public key and a correspondingtemporary enrollee private key, which keys constitute the first enrolleepublic key and the corresponding first enrollee private key; and/or theenrollee processor is arranged to generate a further temporary enrolleepublic key and a corresponding further temporary enrollee private key,which keys constitute the second enrollee public key and thecorresponding second enrollee private key. The advantage of such anephemeral key is that if an enrollee communicates with the configuratorover Wi-Fi and the key has been generated a moment ago, only theenrollee and the configurator can know this key, because it has justbeen generated.

Optionally in the above system, the security data is authorizationinformation from the configurator, which authorization informationauthorizes the enrollee to access the network. Advantageously, suchsecurity data can be used to authorize the enrollee to access thenetwork.

Optionally in the above network system, the configurator processor isfurther arranged to generate the security data by providing aconfigurator session key and transferring the configurator session keyto the enrollee; and the enrollee processor is further arranged toreceive the configurator session key and engage the secure communicationbased on the configurator session key. For example, the configuratorsession key may be a Wi-Fi passphrase known as such. The embodimentenables to transfer the Wi-Fi passphrase of a legacy access point to anenrollee that is implemented according to the invention.

Optionally in the above network system, the configurator processor isfurther arranged to generate a further message including the secondenrollee public key and the digital signature, and transfer the furthermessage to a further device for enabling secure communication betweenthe enrollee and the further device. Advantageously, the configuratoralso distributes the second enrollee public key and the digitalsignature to further network devices, and so controls and authorizes thesecure communication with the enrollee. A similar message may be send tothe enrollee for verifying the signature.

Optionally in the above network system, the enrollee processor isfurther arranged to receive the further public key and the furtherdigital signature from the configurator or from the further networkdevice. Advantageously, the enrollee receives credentials that areauthorized by the configurator, either from the configurator or from thefurther network device. When the enrollee receives such credentials fromthe further network device a direct set up of secure communication tothe further device is enabled.

Optionally in the above network system, the configurator processor isfurther arranged to generate the security data by generating aconfigurator session public key and a corresponding configurator sessionprivate key, deriving a third shared key based on the configuratorsession private key and the second enrollee public key and transferringthe configurator session public key to the enrollee. The enrolleeprocessor is further arranged to receive the configurator session publickey, derive the third shared key based on the second enrollee privatekey and the configurator session public key and engage securecommunication based on the third shared key. Advantageously generatingsuch a configurator session public/private key pair enables furthersecure communication between enrollee and configurator based on thethird shared key.

Optionally in the above network system, the enrollee processor isfurther arranged to generate an enrollee session public key and acorresponding enrollee session private key, derive a fourth shared keybased on the enrollee session private key and the configurator publickey and transferring the enrollee session public key to theconfigurator; and the configurator processor is further arranged toderive the fourth shared key based on the configurator private key andthe enrollee session public key and engage secure communication based onthe fourth shared key. Advantageously, the enrollee may so generate asession key pair, and use the private/public key pair for deriving afurther shared key.

Optionally in the above network system, the network system comprises afurther network device arranged to receive the second enrollee publickey and the security data, provide a session network public key and acorresponding session network private key, derive a fifth shared keybased on the session network private key and the second enrollee publickey and transferring the session network public key to the enrollee. Theenrollee processor is further arranged to receive the session networkpublic key, derive the fifth shared key based on the second enrolleeprivate key and the session network public key, and engage securelycommunication with the further network device based on the fifth sharedkey. Advantageously generating such a further session networkpublic/private key pair enables further secure communication betweenenrollee and further network device based on the fifth shared key

Optionally in the above network system, the configurator processor isfurther arranged to generate the security data comprising a digitalsignature by digitally signing the second enrollee public key with theconfigurator private key, to transfer the digital signature to a thirddevice and/or to the enrollee for enabling secure communication betweenthe enrollee and the third device. By transferring the digital signatureof the configurator to a third device, the digital signature enablessecure communication between the enrollee and the third device.Advantageously, the configurator provides the digital signature as thesecurity data for the second enrollee public key, so that the thirddevice can verify that said second enrollee public key is to be trusted.

Furthermore optionally in the preceding network system, the enrolleeprocessor is further arranged to receive the digital signature, verify,based on the digital signature and the configurator public key, whetherthe second enrollee public key was correctly signed and, if so, engagethe secure communication based on the second enrollee private key.Advantageously, the enrollee can detect whether the configurator hascorrectly signed the second enrollee public key.

Furthermore optionally in the preceding network system, the networksystem comprises a further network device arranged to obtain theconfigurator public key, receive the digital signature and the secondenrollee public key, verify, based on the digital signature and theconfigurator public key, whether the second enrollee public key wascorrectly signed and, if so, engage the secure communication with theenrollee based on the second enrollee public key. Advantageously, thefurther network device can detect whether the configurator has correctlysigned the second enrollee public key, and engage the securecommunication.

Optionally in the above network system, the configurator processor isfurther arranged to generate further security data comprising a furtherdigital signature by digitally signing, with the configurator privatekey, a further public key of a further network device. The enrolleeprocessor is further arranged for using the further security data byreceiving the further public key and the further digital signature,verifying, based on the further digital signature and the configuratorpublic key, whether the further public key was correctly signed and, ifso, securely communicating with the further network device using thesecond enrollee private key and the further public key. Advantageously,the enrollee can detect whether the configurator has correctly signedthe further public key, and engage the secure communication.

Optionally in the above network system, the enrollee processor isfurther arranged to generate enrollee test data, encode the enrolleetest data using the second shared key, transfer the encoded enrolleetest data to the configurator. The configurator processor is furtherarranged to decode the encoded enrollee test data using the secondshared key, verify whether the enrollee test data was encoded by thesecond shared key at the enrollee. Advantageously, if the enrollee hasperformed something wrong anywhere in the protocol up to now, e.g.accidentally mixing up configurators and replying to the wrong one, theconfigurator can know the error based on the received test data and thetest that it computes itself. Such test data can be considered toauthorize the enrollee to the configurator.

Optionally in the above network system, the configurator processor isfurther arranged to generate configurator test data, encode theconfigurator test data using the second shared key, transfer the encodedconfigurator test data to the enrollee. The enrollee processor isfurther arranged to decode the encoded configurator test data using thesecond shared key, verify whether the configurator test data was encodedby the second shared key at the configurator. Advantageously, if theconfigurator has performed something wrong anywhere in the protocol upto now, e.g. accidentally mixing up enrollees and replying to the wrongone, the enrollee can know the error based on the received test data andthe test that it computes itself. Such test data can be considered toauthorize the configurator to the enrollee.

Various operational elements in the above system may be implemented byperforming respective methods as also further defined in the appendedclaims.

The enrollee method comprises

storing the first enrollee public key and a corresponding first enrolleeprivate key and the second enrollee public key and a correspondingsecond enrollee private key,

acquiring a data pattern (140) via an out-of-band channel, the datapattern being provided in the area and representing the network publickey,

deriving the first shared key based on the network public key and thefirst enrollee private key,

encoding the second enrollee public key using the first shared key,

generating the network access request according to the securityprotocol, the network access request including the encoded secondenrollee public key and the first enrollee public key, and

transferring the network access request to the configurator device viathe enrollee wireless communication unit.

The enrollee method further comprises

receiving the network access message from the configurator,

deriving the second shared key based on the first enrollee private key,the second enrollee private key and the network public key,

verifying whether at least one of the protected security data and theprotected configurator public key was cryptographically protected by thesecond shared key and, if so,

engaging the secure communication based on the second enrollee privatekey and the security data.

The configurator method comprises

storing, for the configurator device, the configurator public key and acorresponding configurator private key and, for the network system, thenetwork public key and a corresponding network private key,

receiving, from the enrollee device, the network access requestaccording to the security protocol, the network access request includingthe encoded second enrollee public key and the first enrollee publickey,

deriving the first shared key based on the network private key and thefirst enrollee public key,

decoding the encoded second enrollee public key using the first sharedkey,

verifying whether the encoded second enrollee public key was encoded bythe first shared key, and, if so,

generating the security data using the second enrollee public key andthe configurator private key,

deriving the second shared key based on the first enrollee public key,the second enrollee public key and the network private key,

protecting cryptographically, using the second shared key, at least oneof the security data and the configurator public key, and

generating the network access message according to the securityprotocol.

Also, the elements or methods in the above system may be implemented byrespective devices for use in a network system as defined above. Thedevice comprises a wireless transceiver arranged for the wirelesscommunication. The device is arranged to act as configurator andcomprising a device processor arranged to be the configurator processoras defined in the above system. The device may alternatively be arrangedto act as enrollee and comprising a device processor arranged to be theenrollee processor as defined in the above system.

A method according to the invention may be implemented on a computer asa computer implemented method, or in dedicated hardware, or in acombination of both. Executable code for a method according to theinvention may be stored on a computer program product. Examples ofcomputer program products include memory devices such as a memory stick,optical storage devices such as an optical disc, integrated circuits,servers, online software, etc. Preferably, the computer program productcomprises non-transitory program code means stored on a computerreadable medium for performing a method according to the invention whensaid program product is executed on a computer. In a preferredembodiment, the computer program comprises computer program code meansadapted to perform all the steps or stages of a method according to theinvention when the computer program is run on a computer. Preferably,the computer program is embodied on a computer readable medium.

Another aspect of the invention provides a method of making the computerprogram available for downloading, for example the location basedapplication. This aspect is used when the computer program is uploadedinto, e.g., Apple's App Store, Google's Play Store, or Microsoft'sWindows Store, and when the computer program is available fordownloading from such a store.

Further preferred embodiments of the devices and methods according tothe invention are given in the appended claims, disclosure of which isincorporated herein by reference.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the invention will be apparent from andelucidated further with reference to the embodiments described by way ofexample in the following description and with reference to theaccompanying drawings, in which

FIG. 1 shows a network system,

FIG. 2 shows a first example of a network system and security protocol,

FIG. 3 shows a second example of a network system and security protocol,

FIG. 4 shows a third example of a network system and security protocol,

FIG. 5 shows a fourth example of a network system and security protocol,

FIG. 6 shows a fifth example of a network system and security protocol,

FIG. 7 shows an example of an enrollee method,

FIG. 8 shows an example of a configurator method

FIG. 9a shows a computer readable medium, and

FIG. 9b shows in a schematic representation of a processor system.

The figures are purely diagrammatic and not drawn to scale. In theFigures, elements which correspond to elements already described mayhave the same reference numerals.

DETAILED DESCRIPTION OF EMBODIMENTS

In order to get access to a network, an enrollee needs to transfer itsinformation to one or more other devices on the network, e.g. aconfigurator and/or an Access Point (AP) in a Wi-Fi network. Theenrollee then receives and checks signed network access information andaborts in case it finds an error, e.g. in case the signatureverification of the signed network access information fails. Anotherdevice that receives signed network access information can performsignature verification on the signed network access information to findout that it has been correctly signed by a common Configurator. If so,the other device knows that it can trust the enrollee public networkaccess encryption information contained in the received signed networkaccess information and that it can use this information in a shared keyderivation algorithm to create a link key between the enrollee anditself. The other device will have to send its own signed network accessinformation to the Enrollee, so the Enrollee can perform a similar checkand derive the same link key. From then on, the Enrollee and the otherdevice can base the protection of their wireless link on the derivedlink key. The derived link key can e.g. be used as a pairwise master key(PMK) in a Wi-Fi network. The enrollee public network access encryptioninformation may be in the form of a public Elliptic Curve Cryptography(ECC) key or a public RSA (Rivest-Shamir-Adleman cryptosystem) key, ormay be the public identity of an identity-based cryptosystem, such asHIMMO [3].

The proposed network system, also named a public network system,provides a convenient way of setting up wireless communication formobile devices in a selected area, for example in a shop or at anairport lounge, waiting area or gate. In such cases the owner of thenetwork does not care who gets access to his network, but does careabout the network set-up (SSID, frequency band, channel, etc.) and doeswant to provide link protection on his network in order to protect theprivacy of the communications of all devices on the network. Publicplaces like restaurants and cafes may operate such networks. It is verybothersome for the operator of the network to go with a configuratordevice to each customer that wished network access. Typically in thistype of network, it is the AP that is in charge of it, but devices likeAPs are usually not equipped with camera's and even if they were, it isvery inconvenient for user that want to get access to the network, toget near such an AP (it may even be mounted on the ceiling), operate itscamera end get access. Using other OOB methods is also very cumbersomein this case (making a USB connection with an AP mounted on the ceiling?Performing an NFC touch with an AP on the ceiling? Setting up a secureBluetooth link with an AP?) The operator of such a network would like itthat his customers can get secure access to his network in a very simpleway.

Similarly for e.g. a public printer in a managed environment, the ownerof the printer will want to manage the spectrum use on his premises andset the frequency band and channel of the public printer. Yet the ownerwants to have everybody access to this printer, but in a secure way.Such a printer may be equipped with a camera or a scanner to read thepublic encryption information from a smart phone with which a user wantsto print something, but the user interface of a printer is much moredifficult to get user friendly and intuitively to use than the one of asmart phone. However, it would be convenient for a user that wants toprint something on his smart phone to capture the public encryptioninformation of the printer, e.g. in the form of a public RSA or ECC-keyor the public identity of an identity-based encryption scheme, with thecamera of the smart phone and then start a print job on his smart phoneusing the information captured with the camera as the destination of theprint job.

Similarly for a public wireless docking center, a wireless dockingcenter may be connected wirelessly or in a wired fashion to severalperipheral devices like a monitor, keyboard, mouse, speakers, etc. orhave some of these as a built-in peripheral and may be able to offer theuse of these peripherals over a wireless channels to wireless dockees.Such a wireless docking center may be set up using a configurator, suchthat the wireless docking center is going to be securely connected tothe wireless peripherals. The configurator will then set up the wirelessdocking center such that the wireless docking center becomes theconfigurator of itself and the wirelessly connected peripheral devices.The configurator may give the wireless docking center some rules onwhich wireless dockees are allowed to use the wireless docking center.Such a wireless docking center may be equipped with a camera or ascanner to read the public encryption information, e.g. a public ECC orRSA key, from a smart phone with which a user wants to use the wirelessdocking center, i.e. dock with the wireless docking center. However, itwould be convenient for a user that wants to dock to the wirelessdocking center with his smart phone to capture the public encryptioninformation of the wireless docking center with the camera of the smartphone and then use the wireless docking center. The wireless dockingcenter, may display (possibly dynamic) public encryption information one.g. its screen, or have static public encryption information printed one.g. its housing.

In the proposed network system, instead of the configurator readingout-of-band the public encryption information of the enrollee, theenrollee reads the out-of-band public encryption information of theconfigurator. Note that for many OOB methods, the device which OOBinformation is read does not have to be aware that this information isread. This is true for e.g. when a code is read by a camera, scanner orhuman, when an NFC tag without electrical connection to the device isbeing read, etc.

Optionally, at the start of the wireless part of the protocol, it may bedetermined which device is going to configure the other. That means thatthe devices perform a negotiation of who is going to configure whom.Also, a mutual configuration may be engaged. Adding such a negotiationphase in the protocol would add (at least) two more messages if done ina straight-forward way.

It is proposed that the enrollee reads out-of-band public encryptioninformation of the configurator, e.g. representing a network public key,and initiates the wireless part of the protocol, so the enrollee now isthe initiator of the protocol. The network public key may also be called“configurator identity public key”.

The enrollee then sends a first message including enrollee publicnetwork access encryption information (named second enrollee public keylater on) to further information encrypted with a shared key, aselucidated below. This indicates to the other party, the configurator orresponder, that it is supposed to configure the initiator of theprotocol. Via such action, the responder has the public network accessencryption information that it needs to sign for giving the initiatoraccess to the network it is managing.

Alternatively or additionally, if the responder sends its public networkaccess encryption information to the initiator, this might be used tosignal that the responder also wants to be configured by the initiator.

Wireless technologies usually support methods with which devices can letother devices know wirelessly what they are capable of They can e.g.advertize their capabilities, i.e. they broadcast a special message withtheir capabilities. They can e.g. listen to discovery messages and onthe receipt of such a message that they think is meant for them, replywith a message that contains information on their capabilities andpossibly other information. A configurator device as proposed may havein its capability list that it can configure other devices (enrollees)according to the proposed security protocol, which requires enrollees toread OOB public encryption information and ask to be configuredthemselves.

The network devices cooperating according to the protocol have beencalled enrollee (or initiator) and configurator (or responder). In ageneral case, where it is uncertain which is going to configure theother, other names may be used. If a first network access messagecontains public network access encryption information, the sender wantsto be configured by a configurator in the responder. The responder thensends the signed network access information. Further enrolmentinformation like attributes may also be included with the public networkaccess encryption information in an early message of the proposedprotocol.

FIG. 1 shows a network system. The network system is arranged forwireless communication 150,150′ such as Wi-Fi between network devices inan area, and is arranged for secure communication according to asecurity protocol as explained below. Further specific aspects of theprotocol are described with reference to FIGS. 2 to 5.

The network system 100 comprises multiple network devices (110,120,130),each network device being able to interact via the network usingpredefined communication protocols and security protocols. The networkis arranged to provide access to further network devices in an area, forexample to provide network services to devices in the vicinity. Forexample, the network system may include an access point (AP) acting as acoupling center for other network devices that are associated with thatAP, e.g. mobile phones or laptops which have set up a link key with theAP. Communication between network devices with one another and withother networks, e.g. the corporate intranet or the Internet may go viathe AP. The devices may able to communicate directly, so not throughdevices like an AP, and may be able to set up link keys with oneanother.

The Figure shows an enrollee 110, i.e. a network device that intends toparticipate in the network in said area acting as enrollee. The enrolleeas shown has an enrollee sensor 113, an enrollee processor 111 and anenrollee wireless communication unit 112, which are arranged to engagethe secure communication according to the predefined communicationprotocols and security protocols.

The Figure shows a configurator 130, i.e. a further network device inthe network system acting as configurator. This may be a separatenetwork device, or a role embedded in an access point or other networkdevice. The configurator as shown has a configurator processor 131 and aconfigurator communication unit 132, which units are arranged tocommunicate with the enrollee according to the predefined communicationprotocols and security protocols as explained below. The configuratorcommunication unit may be a wireless communication unit. Theconfigurator communication unit may also communicate via some othernetwork channel to an access point, which access point then wirelesslycommunicates with the enrollee. To enable the configurator to controlaccess to the network system as elucidated below the configurator hasvarious credentials, such as a configurator public key and acorresponding configurator private key.

The network system 100 may comprise at least one further network device120 that is already part of the network and may be available for securecommunication with the enrollee. The further device has a further deviceprocessor and a further wireless communication unit which are arrangedto engage the secure communication according to the predefinedcommunication protocols and security protocols.

The enrollee is arranged to act according to the security protocol forgetting access to the network. In operation the enrollee has, in amemory of the enrollee processor, a first enrollee public key and acorresponding first enrollee private key and also has a second enrolleepublic key and a corresponding second enrollee private key. Theconfigurator is arranged to enable secure communication for the enrolleeaccording to the security protocol. In operation the configurator has,in a memory of the configurator processor, a configurator public key anda corresponding configurator private key for the configurator deviceand, for the network system, a network public key and a correspondingnetwork private key.

The enrollee sensor and enrollee processor are arranged to acquire adata pattern 140 via the enrollee sensor 113 is indicated by a dashedarrow 151 in the Figure. The data pattern is provided in the area andrepresents the network public key. For example, the data pattern may bea barcode or QR pattern. Acquiring the data pattern via the sensorconstitutes an out-of-band channel (OOB). Various examples of such OOBchannels and patterns have been discussed in the introduction. The OOBas constituted by the sensor acquiring the pattern operates in onedirection, i.e. obtaining information from the network to the enrollee.The enrollee sensor may be any suitable detector or receiver that candetect or receive the pattern that is used in the actual system setup,as such pattern may be provided in several ways. The pattern is providedfor the network system in an area that is intended for users of othernetwork devices, which are potentially admitted to access the network.The area may be an office, a shop, a public location, an airfield, etc.The pattern may, for example, be a QR code or a bar code, and thecorresponding sensor is a camera or IR beam detector of a mobile networkdevice. The pattern may be provided on paper, e.g. a menu or a receipt,or may be shown on a display, or in some other physical form. The OOBchannel may also be NFC or Bluetooth in the event that the networkcommunication (in band) is based on Wi-Fi, so then the enrollee sensoris a Bluetooth unit or NFC tag detector. So the sensor refers to anysuitable detector or receiver for detecting the data pattern using anout-of band channel, i.e. a channel using another technology other thanthe wireless communication technology of the network.

The enrollee processor is arranged to derive a first shared key basedthe network public key and the first enrollee private key. As such,deriving shared keys using public/private key pairs has been is known,and has been elucidated in the introduction. The enrollee processor isarranged to subsequently encode the second enrollee public key using thefirst shared key. Then the enrollee processor generates a network accessrequest according to the security protocol. The network access requestincludes the encoded second enrollee public key and the first enrolleepublic key. The enrollee processor is arranged to transfer the networkaccess request to the configurator via the wireless communication. Thenetwork access request message and subsequent messages may be in theform of so-called action frames or self-protected action frames asdefined by IEEE 802.11(2012) [4].

The configurator processor 131 is arranged to receive the network accessrequest from the enrollee via the wireless communication, eitherdirectly via the configurator communication unit 132 or via some otherwireless receiver in the network like an access point. The configuratorprocessor also derives the first shared key based on the network privatekey and the first enrollee public key. The configurator processorsubsequently decodes the encoded second enrollee public key using thefirst shared key, for example by decrypting the encoded data by apredefined cryptographic method using the first shared key. Next theconfigurator processor cryptographically verifies whether the encodedsecond enrollee public key was encoded by the first shared key. If theencoding was correct, the configurator processor decides to allow accessto the network for the enrollee and proceeds to generate security datausing the second enrollee public key and the configurator private key.The configurator processor derives a second shared key based on thefirst enrollee public key, the second enrollee public key and thenetwork private key. How multiple keys can be used has been elucidatedbefore in the introduction. Next, the configurator processorcryptographically protects at least one of the security data andconfigurator public key, while using the second shared key. For exampleas the security data, a signature may be calculated or a further sessionkey may be generated. Further detailed examples are discussed below. Theconfigurator processor then generates a network access message accordingto the security protocol. The network access message includes thecryptographically protected data, i.e. at least one of the protectedsecurity data and protected configurator public key.

The configurator role has at least two key pairs. The first pair is forsetting up the first shared secret with an enrollee. This key may changeover time or may be constant. The second pair is a key pair used forsigning the second enrollee public key (or public network key) of theenrollee, so that other devices that have been enrolled by the sameconfigurator (or a device that can sign on behalf of the configurator)know that they can trust the second enrollee public key and use it toderive a link key. A possible third key pair of the configurator may beused to set up a further shared secret. This third pair will be anephemeral pair (i.e. temporary key material for one-time use).

All devices in the network that have their second enrollee public keysigned by the configurator (or one of the devices acting on behalf ofthe configurator) can exchange their second public keys and use these ina Diffie-Hellman shared key derivation protocol, e.g. the 4-wayhandshake from IEEE 802.11 (2012) [4], to derive a link key to protecttheir future wireless communication. These signed public keys may becalled ‘signed network access information’.

The enrollee processor is further arranged to receive the network accessmessage from the configurator via the wireless communication. If suchmessage is received the enrollee processor proceeds with the enrollingprocess as follows. The enrollee processor derives the second shared keybased on the first enrollee private key, the second enrollee private keyand the network public key. Next the enrollee processor verifies whetherat least one of the protected security data and the protectedconfigurator public key was cryptographically protected by the secondshared key. If the encoding was correct, the enrollee processor decidesto access the network and proceeds to engage the secure communicationbased on its second enrollee private key and the security data. Thesecure communication may be further communication with the configurator,or with other devices in the network. Various examples of embodiments,which may be combined where appropriate, are discussed now.

In an embodiment of the above network system, the enrollee processor isarranged to generate a temporary enrollee public key and a correspondingtemporary enrollee private key, which keys constitute the first enrolleepublic key and the corresponding first enrollee private key. Suchtemporary keys may be generated by a random data generator, whichproduces a required number of random bits, defining the private key, andsubsequently calculating the corresponding public key, e.g. aselucidated in the introduction. Using such temporary keys increasessecurity, because attackers cannot use any knowledge from previoussessions.

In an embodiment of the above network system, the enrollee processor isarranged to generate a further temporary enrollee public key and acorresponding further temporary enrollee private key, which keysconstitute the second enrollee public key and the corresponding secondenrollee private key. Using a further temporary enrollee public andprivate key pair further increases security when using such temporarykeys for engaging secure communication with different network devices.

In an embodiment of the above network system, the configurator processoris arranged to generate a temporary network public key and acorresponding temporary network private key, which keys constitute thenetwork public key and the corresponding network private key. Using atemporary network public and private key pair further increases securitywhen using such temporary keys by the configurator. Also a correspondingdata pattern must be generated and exposed (e.g. printed or displayed)to make the temporary network public key available via the OOB channel.

In an embodiment of the above network system, the security data isauthorization information from the configurator, which authorizationinformation authorizes the enrollee to access the network. For example,the authorization information comprises a signature generated by theconfigurator of data already known to the enrollee, or further data suchas a certificate containing identification data of the configurator orthe network and one or more corresponding signatures, and/or respectivepublic key(s), or a signed public key of the enrollee (also called aconnector).

In an embodiment of the above network system, the configurator processoris further arranged to generate the security data by providing aconfigurator session key and transferring the configurator session keyto the enrollee. Also, the enrollee processor is further arranged toreceive the configurator session key and engage the secure communicationbased on the configurator session key. The configurator session key maybe protected by encryption during transfer. For example, theconfigurator session key may be a Wi-Fi passphrase known as such. Theembodiment enables to transfer the Wi-Fi passphrase of a legacy accesspoint to an enrollee that is implemented according to the invention.

In an embodiment of the above network system, the configurator processoris further arranged to generate the security data by generating aconfigurator session public key and a corresponding configurator sessionprivate key, and deriving a third shared key based on the configuratorsession private key and the second enrollee public key and transferringthe configurator session public key to the enrollee. Also the enrolleeprocessor is further arranged to receive the configurator session publickey, derive the third shared key based on the second enrollee privatekey and the configurator session public key and engage securecommunication based on the third shared key.

Optionally in the above system, the enrollee processor is furtherarranged to generate an enrollee session public key and a correspondingenrollee session private key, derive a fourth shared key based on theenrollee session private key and the configurator public key andtransferring the enrollee session public key to the configurator; andthe configurator processor is further arranged to derive the fourthshared key based on the configurator private key and the enrolleesession public key and engage secure communication based on the fourthshared key.

In an embodiment the above network system comprises a further networkdevice arranged to receive the second enrollee public key and thesecurity data, and provide a session network public key and acorresponding session network private key. The further network devicederives a fifth shared key based on the session network private key andthe second enrollee public key, and transfers the session network publickey to the enrollee. Also the enrollee processor is further arranged toreceive the session network public key, and derive the fifth shared keybased on the second enrollee private key and the session network publickey. Next the enrollee is enabled to engage secure communication withthe further network device based on the fifth shared key.

In an embodiment of the above network system, the configurator processoris further arranged to generate the security data comprising a digitalsignature by digitally signing the second enrollee public key with theconfigurator private key, and to transfer the digital signature to athird device and/or to the enrollee for enabling secure communicationbetween the enrollee and the third device. A valid signature enablessecure communication, because the signature gives trust to a device. Thekey used for the communication need not be based on the signature assuch. The secure communication may be based on several elements, like akey, but also on a signature over a public key, because the devicereceiving a signed public key will trust that public key and, forexample, use it for setting up a secure channel using Diffie-Hellman,because it trusts the device that has signed the public key. The trustedsigner may be the configurator.

In an embodiment of the above network system, the configurator processoris further arranged to generate a further message including the secondenrollee public key and the digital signature, and transfer the furthermessage to a further device and/or to the enrollee. As the furtherdevice now has the second enrollee public key and the digital signatureas provided by the configurator, secure communication between theenrollee and the further device is enabled.

In an embodiment of the above network system, the enrollee processor isfurther arranged to receive the digital signature. The enrolleeprocessor cryptographically verifies, based on the digital signature andthe configurator public key, whether the second enrollee public key wascorrectly signed. If so, the enrollee knows that the intendedconfigurator has signed, and the enrollee can, based on the secondenrollee private key, engage secure communication with other networkdevices that have been configured via the intended configurator.

In an embodiment the above network system comprises a further networkdevice arranged to obtain the configurator public key and receive thedigital signature and the second enrollee public key. The furthernetwork device verifies, based on the digital signature and theconfigurator public key, whether the second enrollee public key wascorrectly signed and, if so, engage the secure communication with theenrollee based on the second enrollee public key.

In an embodiment of the above network system, the configurator processoris further arranged to generate further security data comprising afurther digital signature by digitally signing, with the configuratorprivate key, a further public key of a further network device. Also, theenrollee processor is further arranged for using the further securitydata by receiving the further public key and the further digitalsignature and cryptographically verifying, based on the further digitalsignature and the configurator public key, whether the further publickey was correctly signed. If so, the enrollee may securely communicatewith the further network device using the second enrollee private keyand the further public key. Also, the enrollee processor may further bearranged to receive the further public key and the further digitalsignature from the configurator or from the further network device.

In an embodiment of the above network system, the enrollee processor isfurther arranged to generate enrollee test data, encode the enrolleetest data using the second shared key, and transfer the encoded enrolleetest data to the configurator. Also, the configurator processor isfurther arranged to decode the encoded enrollee test data using thesecond shared key, and cryptographically verify whether the enrolleetest data was encoded by the second shared key at the enrollee. Suchtest data can be considered to authorize the enrollee to theconfigurator.

In an embodiment of the above network system, the configurator processoris further arranged to generate configurator test data, encode theconfigurator test data using the second shared key, and transfer theencoded configurator test data to the enrollee. Also the enrolleeprocessor is further arranged to decode the encoded configurator testdata using the second shared key, and cryptographically verify whetherthe configurator test data was encoded by the second shared key at theconfigurator. Such test data can be considered to authorize theconfigurator to the enrollee.

In the following the network system and security protocols are describedin detail with reference to FIGS. 2-5.

FIG. 2 shows a first example of a network system and security protocol.Aspects of the system that correspond to the system described above withreference to FIG. 1 are not repeated here. An enrollee 210 is shown tocommunicate wirelessly according to a security protocol 200 with aconfigurator 230. Both devices are shown to communicate via a respectiveWi-Fi unit 240, 240′.

In the example, the security protocol provides authentication using twomessages. The first message is a network access request 250, whichcontains the following elements: H(CI), EE, {E-nonce, EN,E-Attributes}_(k1)

The second message is a network access response 260, which has thefollowing elements: H(CI), {E-nonce, [C-name,] [C-sign-key,]SecurityData}_(k2)

In the message the following elements are given:

H(CI) in the messages is a hash over Configurator Identity data, such asconfigurator public key;{Information}_(k) indicates information that is encrypted with key k;[Info] indicates optional information;EE in the message is a first enrollee public key;EN in the first message is a second enrollee public key;E-attributes is data defining the required network access;K₁ is a first shared key based the network public key and the firstenrollee private key;K₂ is a second shared key based on the first enrollee public key, thesecond enrollee public key and the network private key;E-nonce is a nonce provided by the enrollee;C-name is a name provided by the configurator;C-sign-key is a configurator reference of a public signature key or theconfigurator public signature key itself;SecurityData may be a signed public key of the enrollee EN, a Wi-Fipassphrase, etc.

H(CI) which is used as an indicator that this message is meant for theconfigurator, without making the configurator public key available tothe rest of the world. H(CI) in other messages is used as a simple wayto link the messages. The repetition of the nonces in messages is alsomeant to link the messages, but now in a cryptographically protectedway, since any device can respond with a message starting with H(CI).

The second message may comprise a certificate which may consist of aconfigurator name (C-name), a configurator reference of a signature key(C-sign-key), and the SecurityData. The SecurityData may be signed byConfigurator. The public key of Enrollee (EN) may be in theSecurityData.

FIG. 3 shows a second example of a network system and security protocol.Aspects of the protocol that correspond to the system described abovewith reference to FIG. 2 are not repeated here. In the example, thesecurity protocol 300 provides authentication using four messages. Theprotocol provides authentication with two extra messages for more secureauthentication compared to the above protocol 200.

The first message is a network access request 351, which contains thefollowing elements: H(CI), EE, {E-nonce, EN}_(k1)

The second message is an authentication response 352 and contains thefollowing elements: H(CI), {C-nonce|E-nonce}_(k1), {C-teStdata}_(k2)The third message is an authentication confirm 353 and contains thefollowing elements: H(CI), {E-testdata, E-Attributes}_(k2)The fourth message is a network access response 354 and contains thefollowing elements: H(CI), {[C-name,] [C-sign-key,] SecurityData}_(k2)In the exemplary embodiment the elements are named as follows:

configurator (230)

configurator public encryption information (CI)

configurator private encryption information (CIpr)

first authorization information (C-testdata)

encrypted first authorization information ({C-testdata})

second authorization information (E-testdata)

encrypted second authorization information ({E-testdata})

wireless output means (240′)

enrollee (210)

input means (113)

enrollee public network access encryption information (EN)

enrollee private network access encryption information (ENpr)

encrypted enrollee public network access encryption information ({EN})

enrollee public temporary encryption information (EE)

enrollee private temporary encryption information (EEpr)

second enrollee (120)

first signed network access information (SecurityData)

first shared key (k1)

second shared key (k2)

second signed network access information (SecurityData2)

wireless communication (150,150)

In the exemplary embodiment of the network system the protocol proceedsas follows. The wireless communication system has at least oneconfigurator (230) and at least one an enrollee (210). The configurator(230) and the enrollee (210) arranged for communication over wirelesscommunication. The enrollee (210) comprises an enrollee processor (112)and input means (113) using a technology other than the wirelesscommunication for reading or inputting configurator public encryptioninformation (CI). The enrollee also has enrollee public network accessencryption information (EN) and associated enrollee private networkaccess encryption information (ENpr). The enrollee processor is arrangedfor

generating enrollee public temporary encryption information (EE) andassociated enrollee private temporary encryption information (EEpr),

computing a first shared key (k1) using at least the configurator publicencryption information (CI) and the enrollee private temporaryencryption information (EEpr),

encrypting the enrollee public network access encryption information(EN) with the first shared key (k1) to form the encrypted enrolleepublic network access encryption information ({EN}),

sending the enrollee public temporary encryption information (EE) withthe encrypted enrollee public network access encryption information({EN}) to the configurator (230) over wireless communication.

It is noted that sending the public network key (EN) of the enrolleemeans that the initiator of the protocol is an enrollee wishing to beenrolled in the network of the responding partner and that the initiatorof the protocol is not acting as a configurator that wishes to configurethe responder as an enrollee in one of the networks managed by theinitiator of the protocol.

Subsequently, the enrollee processor may be arranged for, in a furthermessage,

receiving over wireless communication encrypted first authorizationinformation ({C-testdata}) from configurator (230),

computing second shared key (k2) using at least the configurator publicencryption information (CI), the enrollee private temporary encryptioninformation (EEpr) and the enrollee private network access encryptioninformation (ENpr),

decrypting the encrypted first authorization information ({C-testdata})from the configurator (230) to obtain the first authorizationinformation (C-testdata),

aborting the procedure if process to obtain first authorizationinformation (C-testdata) detected an error.

Subsequently, the enrollee processor may be arranged for, in a nextmessage,

generating second authorization information (E-testdata),

encrypting second authorization information (E-testdata) with secondshared key (k2) to form encrypted second authorization information({E-testdata}),

sending encrypted second authorization information ({E-testdata}) to theconfigurator (230) over wireless communication.

Subsequently, the enrollee processor may be arranged for, in the same orin a further message,

sending encrypted required configuration information ({E-attributes}) tothe configurator (230) over wireless communication.

Subsequently, the enrollee processor may be arranged for, in a nextmessage,

receiving over wireless communication first signed network accessinformation (SecurityData) from configurator (230),

aborting the procedure if first signed network access information(SecurityData) is not correctly signed.

Finally, the enrollee processor may be arranged for, in a furthermessage,

receiving second signed network access information (SecurityData2) froma second enrollee (120)

setting up secure communication with second enrollee (120) using firstsigned network access information (SecurityData) and second signednetwork access information (SecurityData2) and possibly also its privatenetwork access encryption information (ENpr).

In the exemplary embodiment of the network system the configurator (230)comprises a configurator processor (131). The configurator (230) furtherhas configurator public encryption information (CI) and associatedconfigurator private encryption information (CIpr). The configurator mayhave output means using a technology other than the wirelesscommunication for outputting or displaying configurator publicencryption information (CI), such as a display. The configuratorprocessor is arranged for

receiving the enrollee public temporary encryption information (EE) withthe encrypted enrollee public network access encryption information({EN}) from enrollee (210) over wireless communication,

computing a first shared key (k1) using at least the configuratorprivate encryption information (CIpr) and the enrollee public temporaryencryption information (EE),

decrypting the encrypted enrollee public network access encryptioninformation ({EN}) with the first shared key (k1) to obtain the enrolleepublic network access encryption information (EN),

aborting the procedure if process to obtain the enrollee public networkaccess encryption information (EN) detected an error,

generating first authorization information (C-testdata),

computing second shared key (k2) using at least the configurator privateencryption information (CIpr), the enrollee public temporary encryptioninformation (EE) and the enrollee public network access encryptioninformation (EN),

encrypting the first authorization information (C-testdata) to form theencrypted first authorization information ({C-testdata}),

sending over wireless communication encrypted first authorizationinformation ({C-testdata}) to enrollee (210).

Subsequently, the configurator processor may be arranged for, in afurther message,

receiving encrypted second authorization information ({E-testdata}) fromenrollee (210) over wireless communication,

decrypting encrypted second authorization information ({E-testdata})with second shared key (k2) to obtain second authorization information(E-testdata),

aborting the procedure if process to obtain second authorizationinformation (E-testdata) detected an error.

Subsequently, the configurator processor may be arranged for, in afurther message,

digitally signing enrollee public network access encryption information(EN),

using digitally signed enrollee public network access encryptioninformation (EN) to form first signed network access information(SecurityData),

sending over wireless communication first signed network accessinformation (SecurityData) to enrollee (210).

It is noted that various nonces (C-nonce, E-nonce) may be generated andadded to the messages and/or encrypted parts of such messages to makethe messages unique.

FIG. 4 shows a third example of a network system and security protocol.Aspects of the protocol that correspond to the system described abovewith reference to FIG. 3 are not repeated here. In the example, thesecurity protocol 400 provides authentication using five messages. Theprotocol provides authentication and network access provisioning partsin separated messages compared to the above protocols.

The first message is a network access request 451, which contains thefollowing elements: H(CI), EE, {E-nonce, EN}_(k1) The second message isan authentication response 452 and contains the following elements:H(CI), {C-nonce|E-nonce}_(k1), {C-teStdata}_(k2)

The third message is an authentication confirm 453 and contains thefollowing elements: H(CI), {E-testdata}_(k2)The fourth message is a network access information 454 and contains thefollowing elements: H(CI), {E-Attributes}_(k2)The fifth message is a network access response 455 and contains thefollowing elements: H(CI), {[C-name,] [C-sign-key,] SecurityData}_(k2)The first three messages provide authentication, where the fourth andfifth message provide network access provisioning.

FIG. 5 shows a fourth example of a network system and security protocol.

Aspects of the protocol that correspond to the system described abovewith reference to FIG. 2 are not repeated here. A network device NDEV510 communicates with an access point AP 530. In the example, thesecurity protocol 500 provides network access based on public keys. Theprotocol exchanges signed public keys contained in SecurityData, andcontinues to derive a Pairwise Master Key (PMK), for example the sharedsecret key used in the IEEE 802.11i-2004 protocol, for 4-way handshakeusing Diffie-Hellman.

The first message 551 contains the following elements: SecurityDatacontaining signed public key of the Network Device.

The second message 552 contains the following elements: SecurityDatacontaining signed public key of the Access Point.

A further message sequence 553 provides the following: 4-way Handshakeand WPA2 secured Wi-Fi communication. Wi-Fi Protected Access (WPA) andWi-Fi Protected Access II (WPA2) are two security protocols and securitycertification programs developed by the Wi-Fi Alliance to securewireless computer networks. The Alliance defined these in response toserious weaknesses researchers had found in the previous system, WiredEquivalent Privacy (WEP). WPA (sometimes referred to as the draft IEEE802.11i standard) became available in 2003. The Wi-Fi Alliance intendedit as an intermediate measure in anticipation of the availability of themore secure and complex WPA2. WPA2 became available in 2004 and is acommon shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004)standard; IEEE 802.11(2012) has incorporated IEEE 802.11i.

FIG. 6 shows a fifth example of a network system and security protocol.Aspects of the protocol that correspond to the system described abovewith reference to FIG. 5 are not repeated here. In the example, thesecurity protocol 600 provides network access based on Wi-Fi passphrase.The protocol derives the PMK for 4-way handshake from Wi-Fi passphrasein SecurityData.

A message sequence 651 provides the following: 4-way Handshake and WPA2secured Wi-Fi communication.

FIG. 7 shows an example of an enrollee method. The method is for use ina network device acting as enrollee in the network system as describedabove. The method starts at node START 701 and includes as a first stageACQP 702 acquiring a data pattern via an out-of-band channel by anenrollee sensor. The data pattern is provided in the area and representsthe network public key. In a next stage D_E_K1 703 a first shared key isderived based the network public key and the first enrollee private key,and the second enrollee public key is encoded using the first sharedkey. In a next stage G NAR 704 a network access request is generatedaccording to the security protocol. The network access request includesthe encoded second enrollee public key and the first enrollee publickey. The network access request is transferred to the configurator viathe wireless communication. In a next stage R NAM 705 the network accessmessage is received from the configurator via the wirelesscommunication. In a next stage DV_K2 706 the second shared key isderived based on the first enrollee private key, the second enrolleeprivate key and the network public key. Also it is verified whether atleast one of the protected security data and the protected configuratorpublic key was cryptographically protected by the second shared key. Ifthe protection is not correct the method returns to the start 701. Ifcorrect, in a next stage EN_SEC 707 the secure communication is engagedbased on the second enrollee private key and the security data. Themethod stops at node END 708.

FIG. 8 shows an example of a configurator method. The method is for usein a network device acting as configurator in the network system asdescribed above. The method starts at node START 801 and includes as afirst stage R NAR 802 receiving the network access request from theenrollee via the wireless communication. In a next stage D_D_K1 803 thefirst shared key is derived based on the network private key and thefirst enrollee public key. Also the encoded second enrollee public keyis decoded using the first shared key. In a next stage V_K1 804 it isverified whether the encoded second enrollee public key was encoded bythe first shared key. If the protection is not correct the methodreturns to the start 801. If correct, in a next stage GSD 805 securitydata is generated using the second enrollee public key and theconfigurator private key. In a next stage D_P_K2 806 a second shared keyis derived based on the first enrollee public key, the second enrolleepublic key and the network private key. Also at least one of thesecurity data and configurator public key are cryptographicallyprotected using the second shared key. Then in next stage G NAM 807 thenetwork access message is generated according to the security protocol.The network access message includes at least one of the protectedsecurity data and protected configurator public key. The method stops atnode END 808.

Computer program products, downloadable from a network and/or stored ona computer-readable medium and/or microprocessor-executable medium, areprovided that comprise program code instructions for implementing theabove methods when executed on a computer for protecting locationinformation, as elucidated further below.

Typically, each network comprises a processor which executes appropriatesoftware stored at the devices; for example, that software may have beendownloaded and/or stored in a corresponding memory, e.g., a volatilememory such as RAM or a non-volatile memory such as Flash (not shown).The mobile device and servers may for example be equipped withmicroprocessors and memories (not shown). Alternatively, the enrolleeand configurator may, in whole or in part, be implemented inprogrammable logic, e.g., as field-programmable gate array (FPGA). Themobile device and servers may be implemented, in whole or in part, as aso-called application-specific integrated circuit (ASIC), i.e. anintegrated circuit (IC) customized for their particular use. Forexample, the circuits may be implemented in CMOS, e.g., using a hardwaredescription language such as Verilog, VHDL etc. In practice, thelocation engine may be implemented via a library of software subroutinesthat is linked to an operating system of a mobile device.

Many different ways of executing the method are possible, as will beapparent to a person skilled in the art. For example, the order of thestages or steps can be varied or some stages may be executed inparallel. Moreover, in between steps other method steps may be inserted.The inserted steps may represent refinements of the method such asdescribed herein, or may be unrelated to the method. Moreover, a givenstep may not have finished completely before a next step is started.

A method according to the invention may be executed using software,which comprises instructions for causing a processor system to performthe respective method. Software may only include those steps taken by aparticular sub-entity of the system. The software may be stored in asuitable storage medium, such as a hard disk, a floppy, a memory etc.The software may be sent as a signal along a wire, or wireless, or usinga data network, e.g., the Internet. The software may be made availablefor download and/or for remote usage on a server. It will be appreciatedthat the software may be in the form of source code, object code, a codeintermediate source and object code such as partially compiled form, orin any other form suitable for use in the implementation of the methodaccording to the invention. An embodiment relating to a computer programproduct comprises computer executable instructions corresponding to eachof the processing steps of at least one of the methods set forth. Theseinstructions may be subdivided into subroutines and/or be stored in oneor more files that may be linked statically or dynamically. Anotherembodiment relating to a computer program product comprises computerexecutable instructions corresponding to each of the means of at leastone of the systems and/or products set forth.

FIG. 9a shows a computer readable medium 1000 having a writable part1010 comprising a computer program 1020, the computer program 1020comprising instructions for causing a processor system to perform one ormore methods in the system for protecting location information,according to an embodiment of the provider server method, the locationserver method, the location engine method or the location basedapplication method as described with reference to FIG. 2-8. The computerprogram 1020 may be embodied on the computer readable medium 1000 asphysical marks or by means of magnetization of the computer readablemedium 1000. However, any other suitable embodiment is conceivable aswell. Furthermore, it will be appreciated that, although the computerreadable medium 1000 is shown here as an optical disc, the computerreadable medium 1000 may be any suitable computer readable medium, suchas a hard disk, solid state memory, flash memory, etc., and may benon-recordable or recordable. The computer program 1020 comprisesinstructions for causing a processor system to perform said methods.

FIG. 9b shows in a schematic representation of a processor system 1100according to an embodiment of the provider server, the location serveror the mobile device. The processor system comprises one or moreintegrated circuits 1110. The architecture of the one or more integratedcircuits 1110 is schematically shown in the Figure. Circuit 1110comprises a processing unit 1120, e.g., a CPU, for running computerprogram components to execute a method according to an embodiment and/orimplement its modules or units. Circuit 1110 comprises a memory 1122 forstoring programming code, data, etc. Part of memory 1122 may beread-only. Circuit 1110 may comprise a communication element 1126, e.g.,an antenna, connectors or both, and the like. Circuit 1110 may comprisea dedicated integrated circuit 1124 for performing part or all of theprocessing defined in the method. Processor 1120, memory 1122, dedicatedIC 1124 and communication element 1126 may be connected to each othervia an interconnect 1130, say a bus. The processor system 1110 may bearranged for contact and/or contact-less communication, using an antennaand/or connectors, respectively.

It will be appreciated that, for clarity, the above description hasdescribed embodiments of the invention with reference to differentfunctional units and processors. However, it will be apparent that anysuitable distribution of functionality between different functionalunits or processors may be used without deviating from the invention.For example, functionality illustrated to be performed by separateunits, processors or controllers may be performed by the same processoror controllers. Hence, references to specific functional units are onlyto be seen as references to suitable means for providing the describedfunctionality rather than indicative of a strict logical or physicalstructure or organization. The invention can be implemented in anysuitable form including hardware, software, firmware or any combinationof these.

It is noted that in this document the word ‘comprising’ does not excludethe presence of elements or steps other than those listed and the word‘a’ or ‘an’ preceding an element does not exclude the presence of aplurality of such elements, that any reference signs do not limit thescope of the claims, that the invention may be implemented by means ofboth hardware and software, and that several ‘means’ or ‘units’ may berepresented by the same item of hardware or software, and a processormay fulfill the function of one or more units, possibly in cooperationwith hardware elements. Further, the invention is not limited to theembodiments, and the invention lies in each and every novel feature orcombination of features described above or recited in mutually differentdependent claims.

REFERENCE DOCUMENTS

-   [1] Wi-Fi Simple Configuration Technical Specification Version    2.0.5, Wi-Fi Alliance 2014-August 2004; available from    https://www.wi-fi.org/file/wi-fi-simple-configuration-technical-specification-v205-   [2] RFC 5297, Synthetic Initialization Vector (SIV) Authenticated    Encryption Using the Advanced Encryption Standard (AES)-   [3] DTLS-HIMMO: Efficiently Securing a PQ world with a    fully-collusion resistant KPS, Oscar Garcia-Morchon, Ronald Rietman,    Sahil Sharma, Ludo Tolhuizen, Jose Luis Torre-Arce;    http://csrc.nist.gov/groups/ST/post-quantum-2015/presentations/session7-garcia-morchon.pdf-   [4] IEEE Computer Society, “IEEE Standard for Information    Technology-Telecommunications and Information Exchange Between    Systems Local and Metropolitan Area Networks Specific requirements    Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer    (PHY) Specifications,” (IEEE Std. 802.11-2012), March 2012

1. An enrollee device for use in a network system arranged for wirelesscommunication between network devices in an area and for securecommunication according to a security protocol, the network systemcomprising: a network device arranged to act as the enrollee deviceaccording to the security protocol for getting access to the network,and a network device arranged to act as a configurator device accordingto the security protocol for enabling access to the network by theenrollee device; wherein the configurator device comprises aconfigurator communication unit arranged to receive, from the enrolleedevice, a network access request according to the security protocol, thenetwork access request including an encoded second enrollee public keyand a first enrollee public key, and a configurator processor comprisinga memory arranged to have, for the configurator device, a configuratorpublic key and a corresponding configurator private key and to have, forthe network system, a network public key and a corresponding networkprivate key, the configurator processor arranged to derive a firstshared key based on the network private key and the first enrolleepublic key, decode the encoded second enrollee public key using thefirst shared key, verify whether the encoded second enrollee public keywas encoded by the first shared key and, if so, generate security datausing the second enrollee public key and the configurator private key,derive a second shared key based on the first enrollee public key, thesecond enrollee public key and the network private key, protectcryptographically, using the second shared key, at least one of thesecurity data and configurator public key, and generate a network accessmessage according to the security protocol, the network access messageincluding at least one of the protected security data and protectedconfigurator public key; the enrollee device comprising an enrolleewireless communication unit arranged for wireless communication; anenrollee sensor arranged to acquire a data pattern via an out-of-bandchannel, the data pattern being provided in the area and representingthe network public key; and an enrollee processor comprising a memoryarranged to have the first enrollee public key and a corresponding firstenrollee private key and to have the second enrollee public key and acorresponding second enrollee private key, the enrollee processorarranged to derive the first shared key based on the network public keyand the first enrollee private key, encode the second enrollee publickey using the first shared key, generate the network access requestaccording to the security protocol, the network access request includingthe encoded second enrollee public key and the first enrollee publickey, and transfer the network access request to the configurator devicevia the enrollee wireless communication unit; the enrollee processorfurther arranged to receive the network access message from theconfigurator via the enrollee wireless communication unit, derive thesecond shared key based on the first enrollee private key, the secondenrollee private key and the network public key, verify whether at leastone of the protected security data and the protected configurator publickey was cryptographically protected by the second shared key and, if so,engage the secure communication based on the second enrollee private keyand the security data.
 2. The enrollee device as claimed in claim 1,wherein the enrollee processor is arranged to generate a temporaryenrollee public key and a corresponding temporary enrollee private key,which keys constitute the first enrollee public key and thecorresponding first enrollee private key; and/or the enrollee processoris arranged to generate a further temporary enrollee public key and acorresponding further temporary enrollee private key, which keysconstitute the second enrollee public key and the corresponding secondenrollee private key.
 3. The enrollee device as claimed in claim 1, theconfigurator processor being further arranged to generate the securitydata by providing a configurator session key and transferring theconfigurator session key to the enrollee; wherein the enrollee processoris further arranged to receive the configurator session key and engagethe secure communication based on the configurator session key.
 4. Theenrollee device as claimed in claim 1, the configurator processor beingfurther arranged to generate a configurator session public key and acorresponding configurator session private key, derive a third sharedkey based on the configurator session private key and the secondenrollee public key, and transfer the configurator session public key tothe enrollee; wherein the enrollee processor is further arranged toreceive the configurator session public key, derive the third shared keybased on the second enrollee private key and the configurator sessionpublic key and engage secure communication based on the third sharedkey.
 5. The enrollee device as claimed in claim 1, the network systemcomprising a further network device arranged to receive the secondenrollee public key and the security data, provide a session networkpublic key and a corresponding session network private key, derive afifth shared key based on the session network private key and the secondenrollee public key and transferring the session network public key tothe enrollee; wherein the enrollee processor is further arranged toreceive the session network public key, derive the fifth shared keybased on the second enrollee private key and the session network publickey, and engage securely communication with the further network devicebased on the fifth shared key.
 6. The enrollee device as claimed inclaim 1, the configurator processor being further arranged to generatethe security data comprising a digital signature by digitally signingthe second enrollee public key with the configurator private key, totransfer the digital signature to a third device and/or to the enrolleefor enabling secure communication between the enrollee and the thirddevice; wherein the enrollee processor is further arranged to receivethe digital signature, verify, based on the digital signature and theconfigurator public key, whether the second enrollee public key wascorrectly signed and, if so, engage the secure communication based onthe second enrollee private key.
 7. The enrollee device as claimed inclaim 6, wherein the network system comprises a further network devicearranged to obtain the configurator public key, receive the digitalsignature and the second enrollee public key, verify, based on thedigital signature and the configurator public key, whether the secondenrollee public key was correctly signed and, if so, engage the securecommunication with the enrollee device based on the second enrolleepublic key.
 8. The enrollee device as claimed in claim 1, theconfigurator processor being further arranged to generate furthersecurity data comprising a further digital signature by digitallysigning, with the configurator private key, a further public key of afurther network device; wherein the enrollee processor is furtherarranged for using the further security data by receiving the furtherpublic key and the further digital signature, verifying, based on thefurther digital signature and the configurator public key, whether thefurther public key was correctly signed and, if so, securelycommunicating with the further network device using the second enrolleeprivate key and the further public key.
 9. The enrollee device asclaimed in claim 1, the configurator processor being further arranged todecode encoded enrollee test data using the second shared key, verifywhether the enrollee test data was encoded by the second shared key atthe enrollee wherein the enrollee processor is further arranged togenerate the enrollee test data, encode the enrollee test data using thesecond shared key, transfer the encoded enrollee test data to theconfigurator.
 10. The enrollee device as claimed in claim 1, theconfigurator processor being further arranged to generate configuratortest data, encode the configurator test data using the second sharedkey, transfer the encoded configurator test data to the enrollee;wherein the enrollee processor is further arranged to decode the encodedconfigurator test data using the second shared key, verify whether theconfigurator test data was encoded by the second shared key at theconfigurator.
 11. Enrollee method for use in a network system arrangedfor wireless communication between network devices in an area and forsecure communication according to a security protocol, the networksystem comprising a network device executing the enrollee method to actas an enrollee device according to the security protocol for gettingaccess to the network, and a network device arranged to act as aconfigurator device according to the security protocol for enablingaccess to the network by the enrollee device; wherein the configuratordevice comprises a configurator communication unit arranged to receive,from the enrollee device, a network access request according to thesecurity protocol, the network access request including an encodedsecond enrollee public key and a first enrollee public key, and aconfigurator processor comprising a memory arranged to have, for theconfigurator device, a configurator public key and a correspondingconfigurator private key and to have, for the network system, a networkpublic key and a corresponding network private key, the configuratorprocessor arranged to derive a first shared key based on the networkprivate key and the first enrollee public key, decode the encoded secondenrollee public key using the first shared key, verify whether theencoded second enrollee public key was encoded by the first shared keyand, if so, generate security data using the second enrollee public keyand the configurator private key, derive a second shared key based onthe first enrollee public key, the second enrollee public key and thenetwork private key, protect cryptographically, using the second sharedkey, at least one of the security data and configurator public key, andgenerate a network access message according to the security protocol,the network access message including at least one of the protectedsecurity data and protected configurator public key; the enrollee methodcomprising storing the first enrollee public key and a correspondingfirst enrollee private key and the second enrollee public key and acorresponding second enrollee private key, acquiring a data pattern viaan out-of-band channel, the data pattern being provided in the area andrepresenting the network public key, deriving the first shared key basedon the network public key and the first enrollee private key, encodingthe second enrollee public key using the first shared key, generatingthe network access request according to the security protocol, thenetwork access request including the encoded second enrollee public keyand the first enrollee public key, and transferring the network accessrequest to the configurator device via the enrollee wirelesscommunication unit; the enrollee method further comprising receiving thenetwork access message from the configurator, deriving the second sharedkey based on the first enrollee private key, the second enrollee privatekey and the network public key, verifying whether at least one of theprotected security data and the protected configurator public key wascryptographically protected by the second shared key and, if so,engaging the secure communication based on the second enrollee privatekey and the security data.
 12. Configurator method for use in a networksystem arranged for wireless communication between network devices in anarea and for secure communication according to a security protocol, thenetwork system comprising a network device arranged to act as anenrollee device according to the security protocol for getting access tothe network, and a network device executing the configurator method toact as a configurator device according to the security protocol forenabling access to the network by the enrollee device; wherein theenrollee device comprises an enrollee wireless communication unitarranged for wireless communication; an enrollee sensor arranged toacquire a data pattern via an out-of-band channel, the data patternbeing provided in the area and representing a network public key; and anenrollee processor comprising a memory arranged to have a first enrolleepublic key and a corresponding first enrollee private key and to have asecond enrollee public key and a corresponding second enrollee privatekey, the enrollee processor arranged to derive a first shared key basedon the network public key and the first enrollee private key, encode thesecond enrollee public key using the first shared key, generate anetwork access request according to the security protocol, the networkaccess request including the encoded second enrollee public key and thefirst enrollee public key, and transfer the network access request tothe configurator device via the enrollee wireless communication unit;the enrollee processor further arranged to receive a network accessmessage from the configurator via the enrollee wireless communicationunit, the network access message including at least one of protectedsecurity data and a protected configurator public key, derive a secondshared key based on the first enrollee private key, the second enrolleeprivate key and the network public key, verify whether at least one ofthe protected security data and the protected configurator public keywas cryptographically protected by the second shared key and, if so,engage the secure communication based on the second enrollee private keyand the security data; the configurator method comprising storing, forthe configurator device, the configurator public key and a correspondingconfigurator private key and, for the network system, the network publickey and a corresponding network private key, receiving, from theenrollee device, the network access request according to the securityprotocol, the network access request including the encoded secondenrollee public key and the first enrollee public key, deriving thefirst shared key based on the network private key and the first enrolleepublic key, decoding the encoded second enrollee public key using thefirst shared key, verifying whether the encoded second enrollee publickey was encoded by the first shared key, and, if so, generating thesecurity data using the second enrollee public key and the configuratorprivate key, deriving the second shared key based on the first enrolleepublic key, the second enrollee public key and the network private key,protecting cryptographically, using the second shared key, at least oneof the security data and the configurator public key, and generating thenetwork access message according to the security protocol. 13.Configurator device for use in a network system arranged for wirelesscommunication between network devices in an area and for securecommunication according to a security protocol, the network systemcomprising a network device arranged to act as an enrollee deviceaccording to the security protocol for getting access to the network,and a network device arranged to act as the configurator deviceaccording to the security protocol for enabling access to the network bythe enrollee device; wherein the enrollee device comprises an enrolleewireless communication unit arranged for wireless communication; anenrollee sensor arranged to acquire a data pattern via an out-of-bandchannel, the data pattern being provided in the area and representing anetwork public key; and an enrollee processor comprising a memoryarranged to have a first enrollee public key and a corresponding firstenrollee private key and to have a second enrollee public key and acorresponding second enrollee private key, the enrollee processorarranged to derive a first shared key based on the network public keyand the first enrollee private key, encode the second enrollee publickey using the first shared key, generate a network access requestaccording to the security protocol, the network access request includingthe encoded second enrollee public key and the first enrollee publickey, and transfer the network access request to the configurator devicevia the enrollee wireless communication unit; the enrollee processorfurther arranged to receive a network access message from theconfigurator via the enrollee wireless communication unit, the networkaccess message including at least one of protected security data and aprotected configurator public key, derive a second shared key based onthe first enrollee private key, the second enrollee private key and thenetwork public key, verify whether at least one of the protectedsecurity data and the protected configurator public key wascryptographically protected by the second shared key and, if so, engagethe secure communication based on the second enrollee private key andthe security data; the configurator device comprising a configuratorcommunication unit arranged to receive, from the enrollee device, thenetwork access request according to the security protocol, the networkaccess request including the encoded second enrollee public key and thefirst enrollee public key, and a configurator processor comprising amemory arranged to have, for the configurator device, the configuratorpublic key and a corresponding configurator private key and to have, forthe network system, the network public key and a corresponding networkprivate key, the configurator processor arranged to derive the firstshared key based on the network private key and the first enrolleepublic key, decode the encoded second enrollee public key using thefirst shared key, verify whether the encoded second enrollee public keywas encoded by the first shared key, and, if so, generate the securitydata using the second enrollee public key and the configurator privatekey, derive the second shared key based on the first enrollee publickey, the second enrollee public key and the network private key, protectcryptographically, using the second shared key, at least one of thesecurity data and the configurator public key, and generate the networkaccess message according to the security protocol.
 14. The configuratordevice as claimed in claim 13, wherein the configurator processor isarranged to generate a temporary network public key and a correspondingtemporary network private key, which keys constitute the network publickey and the corresponding network private key.
 15. The configuratordevice as claimed in the enrollee processor being further arranged toreceive a configurator session public key, derive a third shared keybased on the second enrollee private key and the configurator sessionpublic key and engage secure communication based on the third sharedkey; wherein the configurator processor is further arranged to generatethe configurator session public key and a corresponding configuratorsession private key, derive the third shared key based on theconfigurator session private key and the second enrollee public key, andtransfer the configurator session public key to the enrollee.
 16. Theenrollee device as claimed in claim 13, wherein the configuratorprocessor is further arranged to generate the security data comprising adigital signature by digitally signing the second enrollee public keywith the configurator private key, to transfer the digital signature toa third device and/or to the enrollee for enabling secure communicationbetween the enrollee and the third device.
 17. The configurator deviceas claimed in claim 13, the enrollee processor being further arrangedfor using further security data by receiving a further public key and afurther digital signature, verifying, based on the further digitalsignature and the configurator public key, whether the further publickey was correctly signed and, if so, securely communicating with afurther network device using the second enrollee private key and thefurther public key; wherein the configurator processor is furtherarranged to generate the further security data comprising the furtherdigital signature by digitally signing, with the configurator privatekey, the further public key of the further network device.
 18. Theconfigurator device as claimed in claim 13, the enrollee processor beingfurther arranged to generate enrollee test data, encode the enrolleetest data using the second shared key, transfer the encoded enrolleetest data to the configurator; wherein the configurator processor isfurther arranged to decode the encoded enrollee test data using thesecond shared key, verify whether the enrollee test data was encoded bythe second shared key at the enrollee.
 19. The configurator device asclaimed in claim 1, the enrollee processor being further arranged todecode encoded configurator test data using the second shared key,verify whether the configurator test data was encoded by the secondshared key at the configurator; wherein the configurator processor isfurther arranged to generate the configurator test data, encode theconfigurator test data using the second shared key, transfer the encodedconfigurator test data to the enrollee.
 20. A non-transitorycomputer-readable medium having one or more executable instructionsstored thereon, which when executed by a processor, cause the processorto perform a configurator method for use in a network system arrangedfor wireless communication between network devices in an area and forsecure communication according to a security protocol, the networksystem comprising: a network device arranged to act as an enrolleedevice according to the security protocol for getting access to thenetwork, and a network device executing the configurator method to actas a configurator device according to the security protocol for enablingaccess to the network by the enrollee device; wherein the enrolleedevice comprises an enrollee wireless communication unit arranged forwireless communication; an enrollee sensor arranged to acquire a datapattern via an out-of-band channel, the data pattern being provided inthe area and representing a network public key; and an enrolleeprocessor comprising a memory arranged to have a first enrollee publickey and a corresponding first enrollee private key and to have a secondenrollee public key and a corresponding second enrollee private key, theenrollee processor arranged to derive a first shared key based on thenetwork public key and the first enrollee private key, encode the secondenrollee public key using the first, shared key, generate a networkaccess request according to the security protocol, the network accessrequest including the encoded second enrollee public key and the firstenrollee public key, and transfer the network access request to theconfigurator device via the enrollee wireless communication unit;receive a network access message from the configurator via the enrolleewireless communication unit, the network access message including atleast one of protected security data and a protected configurator publickey, derive a second shared key based on the first enrollee private key,the second enrollee private key and the network public key, verifywhether at least one of the protected security data and the protectedconfigurator public key was cryptographically protected by the secondshared key and, if so, engage the secure communication based on thesecond enrollee private key and the security data; the configuratormethod comprising storing, for the configurator device, the configuratorpublic key and a corresponding configurator private key and, for thenetwork system, the network public key and a corresponding networkprivate key, receiving, from the enrollee device, the network accessrequest according to the security protocol, the network access requestincluding the encoded second enrollee public key and the first enrolleepublic key, deriving the first, shared key based on the network privatekey and the first enrollee public key, decoding the encoded secondenrollee public key using the first shared key, verifying whether theencoded second enrollee public key was encoded by the first shared keyand, if so generating the security data using the second enrollee publickey and the configurator private key, deriving the second shared keybased on the first enrollee public key, the second enrollee public keyand the network private key, protecting cryptographically, using thesecond shared key, at least one of the security data and theconfigurator public key, and generating the network access messageaccording to the security protocol.